blackhat 2014 owasp zap turbo talk
Posted on 16-Apr-2017
OWASP ZAP Turbo Talk
Simon Bennetts, OWASP ZAP Project Lead, Mozilla Security Team
Plan
Introduce ZAP
Overview of the basics
Dive into some more advanced features
Overview of some work in progress
Perform more demos on the stand: Breakers JK Station 1
12:45 to 15:15 (after this talk)
What is ZAP?
It's completely free
It's a community project
The most active open source web appsec tool
It's NOT a clone of
A tool for beginners and pros
The ToolsWatch.org top security tool of 2013 ;)
Some Statistics
Released September 2010, fork of Paros
V 2.3.1 released May 2014, > 40k downloads
The most active OWASP Project
Highest activity category on Open Hub
31 active developers
Over 90 translators
Being translated into over 20 languages
Paros code ~20%, ZAP code ~80%
Why should you care?
It's free
It's very powerful (if you know how to use it)
It's open source: you can change anything
It's a community project: you can get involved
It's a great environment to play in
It promotes innovation
Your clients could (should?) be using it
It's 'encouraging' commercial tools to improve
It's free (it is, but you're pros)
The basics
Yes, it does the basics
Maybe in a different way to your current tool
You'll work it out :)
Advanced stuff :)
Contexts
Advanced Active Scanning
Plug-n-Hack
Scripts
Zest
Contexts
Assign characteristics to groups of URLs
An application can be:
One site
http://www.example.com
A subtree
http://www.example.com/app1
Multiple sites
http://www.example1.com
http://www.example2.com
Contexts
Allow you to define:
Scope
Session handling
Authentication
Users
Structure
with more coming soon
Advanced Scanning
Gives you fine grained control over:
Scope
Input Vectors
Custom Vectors
Policy
Accessed from:
Right click Attack menu
Tools menu
Keyboard shortcut (default Ctrl-Alt-A)
Plug-n-Hack
Allows browsers and security tools to work better together
Developed by the Mozilla Security Team
Adopted by Burp and OWTF
V1 allows you to:
Quickly configure your browser and security tool
Control your security tool from the browser
V2 allows you to intercept, change and fuzz client side messages
Scripting
Full access to ZAP internals
Invoked from all key parts of the ZAP core
Pluggable: you can add your own types
Support for all JSR 223 languages, inc. JavaScript
Jython
JRuby
Zest :)
Scripting
Different types of scripts:
Stand alone: run when you say
Targeted: specify URLs to run against
Active: run in Active scanner
Passive: run in Passive scanner
Proxy: run 'inline'
Authentication: complex logins
Input Vector: define what to attack
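As an added example (not from the slides or the ZAP project), here is what a Passive-type script of the kind listed above looks like: a JavaScript rule that inspects proxied HTML responses for missing security headers and raises a ZAP alert for each. The entry point scan(ps, msg, src) and the ps.raiseAlert(...) argument order follow ZAP's passive-script template; the header list, the mockMessage stand-in and the sample messages are constructed here so the rule can run outside ZAP.

```javascript
// Added example, not ZAP's own code. scan(ps, msg, src) and ps.raiseAlert(...) follow
// ZAP's passive-script template; REQUIRED_HEADERS and mockMessage are constructed here.
var REQUIRED_HEADERS = [
  { name: 'X-Frame-Options', httpsOnly: false },
  { name: 'X-Content-Type-Options', httpsOnly: false },
  { name: 'Strict-Transport-Security', httpsOnly: true }
];
// Pure check, kept apart from scan() so it can be exercised without ZAP.
function findMissingHeaders(msg) {
  var resp = msg.getResponseHeader();
  var ctype = resp.getHeader('Content-Type');
  // Only HTML documents are in scope; images, JSON, etc. are skipped.
  if (ctype === null || ctype.toLowerCase().indexOf('text/html') === -1) return [];
  var uri = msg.getRequestHeader().getURI().toString();
  var isHttps = uri.toLowerCase().indexOf('https://') === 0;
  var missing = [];
  for (var i = 0; i < REQUIRED_HEADERS.length; i++) {
    var h = REQUIRED_HEADERS[i];
    if (h.httpsOnly && !isHttps) continue;            // HSTS only matters over HTTPS
    if (resp.getHeader(h.name) === null) missing.push(h.name);
  }
  return missing;
}

// ZAP entry point: ps = passive script helper, msg = HttpMessage, src = parsed HTML.
// Passive rules must not send requests; they only inspect msg. Returns the alert count.
function scan(ps, msg, src) {
  var uri = msg.getRequestHeader().getURI().toString();
  var missing = findMissingHeaders(msg);
  for (var i = 0; i < missing.length; i++) {
    // raiseAlert(risk, confidence, name, description, uri, param, attack,
    //            otherInfo, solution, evidence, cweId, wascId, msg)
    // risk 1 = low, confidence 2 = medium; CWE/WASC ids left as 0 placeholders.
    ps.raiseAlert(1, 2, 'Missing security header: ' + missing[i],
      'The HTML response does not set ' + missing[i] + '.', uri, '', '', '',
      'Set the ' + missing[i] + ' header on all HTML responses.', '', 0, 0, msg);
  }
  return missing.length;
}

// Constructed stand-in for HttpMessage covering the two accessors used above;
// header lookup is case-insensitive, as ZAP's HttpHeader.getHeader() is.
function mockMessage(uri, headers) {
  var lookup = {};
  for (var k in headers) lookup[k.toLowerCase()] = headers[k];
  var hdr = { getHeader: function (n) {
    return lookup.hasOwnProperty(n.toLowerCase()) ? lookup[n.toLowerCase()] : null;
  } };
  var req = { getURI: function () { return { toString: function () { return uri; } }; } };
  return { getRequestHeader: function () { return req; }, getResponseHeader: function () { return hdr; } };
}
```

Loaded into ZAP as a passive script, only scan() is called by the scanner; mockMessage exists purely to exercise the rule offline.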
Zest
An experimental scripting language
Developed by Mozilla Security Team
Free and open source (of course)
Tool independent: can be used in open and closed, free or commercial software
Format: JSON, designed to be represented visually in security tools
Included by default in ZAP from 2.2.0
ZAP's macro language (on steroids)
Zest use cases
Reporting vulnerabilities to companies
Reporting vulnerabilities to developers
Defining tool independent active and passive scan rules
Deep integration with security tools
Work in progress
Zest client side recording
Sequence scanning
Google Summer of Code projects:
Advanced access control testing
Advanced fuzzing
SOAP service scanning
Firefox Zest add-on
Mozilla Winter of Security projects:
Scripted extensions
AMF support
Conclusion
ZAP is changing rapidly
It's the most active O/S web appsec security tool
Its great for people new to appsec ...
and also for security pros
If you don't know its capabilities, how can you know you're using the most appropriate tool?
It's a community based tool: get involved
Come over to the stand to learn more :)
Thank you!
OWASP ZAP: ToolsWatch.org top security tool of 2013
For more info and demos: Breakers JK Station 1, 12:45 to 15:15